Microsoft’s monthly Patch Tuesday release fixes zero-days, including bugs already under active exploitation, along with three vulnerabilities rated critical.
One of the critical vulnerabilities, CVE-2023-36052, is notable enough that Microsoft gave it a detailed technical discussion in a separate blog post.
The bug leaks credentials to GitHub Actions logs through the Azure command-line interface (CLI).
Aviad Hahami of Palo Alto Networks’ Prisma Cloud found that Azure CLI commands could write sensitive data to their standard output, which then lands in continuous integration and continuous deployment (CI/CD) logs, Microsoft explained.
As well as making changes to “Azure Pipelines, GitHub Actions, and Azure CLI” to improve secret redaction, Microsoft has published customer guidance on avoiding secret exposure through the CLI.
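The mechanism behind the leak is worth seeing concretely. A CI runner only redacts strings it already knows to be secrets (repository secrets and values explicitly registered for masking); a credential that an Azure CLI command returns at run time is not on that list, so it appears in the step log verbatim. The workflow below is an added example, not code from Microsoft’s guidance or from the original article: the `leaky` job shows the pattern that exposes settings, and the `hardened` job shows the same tasks with output suppressed, a single value extracted by query, and that value registered with the runner’s masker before anything can print it. The resource names `my-app` and `my-rg`, the setting name `DB_PASSWORD`, the `AZURE_CREDENTIALS` secret and the `./deploy.sh` script are placeholders.

```yaml
# Added example; names below are placeholders, not values from the article.
name: appsettings-demo
on: workflow_dispatch

jobs:
  leaky:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # BAD: the default JSON output, including every setting's value, goes
      # straight into the step log. The runner redacts only strings it already
      # knows as secrets; values returned by az at run time are not among them.
      - run: az webapp config appsettings list -n my-app -g my-rg
      # BAD: "set" also echoes the full, updated settings list by default,
      # so changing one harmless setting still prints every other value.
      - run: az webapp config appsettings set -n my-app -g my-rg --settings LOG_LEVEL=info

  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # When the output is not needed, suppress it entirely.
      - run: az webapp config appsettings set -n my-app -g my-rg --settings LOG_LEVEL=info -o none
      # When one value is needed later: fetch only that value with a JMESPath
      # query, register it with the masker BEFORE anything else can print it,
      # then pass it to later steps through the environment file, not stdout.
      - run: |
          set -euo pipefail
          db_password="$(az webapp config appsettings list -n my-app -g my-rg \
              --query "[?name=='DB_PASSWORD'].value | [0]" -o tsv)"
          echo "::add-mask::$db_password"
          echo "DB_PASSWORD=$db_password" >> "$GITHUB_ENV"
      - run: ./deploy.sh   # placeholder; reads DB_PASSWORD from the environment
```

Two caveats apply. `::add-mask::` only affects lines written after it is issued, so the order inside the step matters, and it redacts only the displayed log; anything that reached the log before the mask was registered, or that is printed by `set -x` or `az --debug`, is still exposed. Masking also matches the exact string anywhere in the log, so register only genuine secrets rather than every setting value, or innocuous strings such as `info` will be redacted across the whole run.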
The other two critical vulnerabilities are CVE-2023-36400 and CVE-2023-36397.
CVE-2023-36400 is an elevation of privilege vulnerability in Windows hash-based message authentication code (HMAC) key derivation; it requires an attacker who is already authenticated to the system.
“A successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to execute code on the Hyper-V host execution environment,” Microsoft said.
This would give the attacker SYSTEM privileges.
CVE-2023-36397 is a remote code execution (RCE) vulnerability in Windows Pragmatic General Multicast (PGM) that is exploitable when the Windows message queuing service is running in a PGM server environment.
“An attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft’s advisory stated.
The exploited vulnerabilities include CVE-2023-36036, CVE-2023-36025, and CVE-2023-36033.
CVE-2023-36033, an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library, carries a CVSS score of only 7.8, but it was publicly disclosed before the patch shipped and has been exploited in the wild to gain SYSTEM privileges.
CVE-2023-36036 is an elevation of privilege bug in the Windows Cloud Files Mini Filter Driver, again exploited in the wild to escalate an attacker to SYSTEM.
CVE-2023-36025 is a security feature bypass in Windows SmartScreen, exploited by persuading a victim to click a specially crafted Internet Shortcut (.url) file or a hyperlink pointing to one.
As the SANS Institute’s Johannes Ullrich explains in his Patch Tuesday rollup, Microsoft has also shipped patches for the third-party Kubernetes, FRRouting, traceroute and PyYAML packages used in its Mariner Linux distribution (CBL-Mariner).